opensmtpd (6.0.2p1-2+deb9u3) stretch-security; urgency=high * Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794) An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group. OpenBSD 6.6 errata 021: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig -- Ryan Kavanagh Tue, 25 Feb 2020 12:09:37 -0500 opensmtpd (6.0.2p1-2+deb9u2) stretch-security; urgency=high * Fix following vulnerability, 018_smtpd_tls.patch.sig: smtpd can crash on opportunistic TLS downgrade, causing a denial of service. -- Ryan Kavanagh Wed, 29 Jan 2020 14:34:22 -0500 opensmtpd (6.0.2p1-2+deb9u1) stretch-security; urgency=high * Fix privilege escalation vulnerability, 019_smtpd_exec.patch.sig. An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user. (Closes: #950121) (CVE-2020-7247) -- Ryan Kavanagh Tue, 28 Jan 2020 20:28:49 -0500 opensmtpd (6.0.2p1-2) unstable; urgency=medium * Let smtpd create its spool directory tree instead of shipping it. This fixes errors regarding directories with incorrect owners. Thanks to Harald Dunkel for a patch. (Closes: #843978) * Actually remove the spool directory on purge. -- Ryan Kavanagh Tue, 07 Mar 2017 09:33:17 -0500 opensmtpd (6.0.2p1-1) unstable; urgency=medium * Added Brazilian Portuguese debconf templates translation (Closes: #829336) * Added missing dependency on ed (Closes: #834280) * Switch B-D to libssl1.0-dev while upstream determines how to best transition to OpenSSL 1.1 (Closes: #828473) * Fix manpage formatting issues (Closes: #832008) * Added missing dependency on lsb-base * Add missing build-dependency on zlib1g-dev * Add lintian override for spelling mistake in copyright text -- Ryan Kavanagh Fri, 25 Nov 2016 15:51:28 -0500 opensmtpd (5.9.2p1-1) unstable; urgency=medium * New upstream release + Drop 04_no_mailq.diff, 11_smtpd.conf.5_typo.diff: no longer needed * Make debian-branch for sid debian/sid * Updated copyright holders * Updated standards-version to 3.9.8 * Fix bug in getalias() in debian/config * Don't install empty /usr/bin in opensmtpd package * Update lintian override for missing-license-paragraph-in-dep5-copyright * Update our configure options to reflect name changes * Install missing links to smtpctl for makemap and newaliases * opensmtpd now requires different permissions and ownership for the offline queue and purge directories; update these accordingly -- Ryan Kavanagh Sat, 11 Jun 2016 14:21:51 -0400 opensmtpd (5.7.3p2-1) unstable; urgency=medium * New upstream release + Fixes segfault when relaying mail (Closes: #813398) * Make Vcs-* URLs secure * 'fortify' hardening option no longer detects false-positive buffer overflow when processing offline queue. Reenabling. + Accordingly, drop unneeded hardening-no-fortify overrides. -- Ryan Kavanagh Thu, 11 Feb 2016 09:09:22 -0500 opensmtpd (5.7.3p1-1) unstable; urgency=high * New upstream release + Fixes security issues (Closes: #800787, CVE-2015-7687). This point release also features fixes to security issues that weren't part of the Qualsys audit. + No longer have conflicting declarations of fatal in source (Closes: #749810) * Drop 02_hyphen_as_minus_sign.diff, 06_man_cleanup.diff, 11_compile_warnings.diff, 12_ssl_check.diff. All applied upstream * Updated 07_automake_missing_options.diff to reflect changes to upstream source * Fix typo in manpage, 11_smtpd.conf.5_typo.diff * Update the copyright file * Drop our local copy of the upstream changelog * Recommend opensmtpd-extras: the tables and filters have been forked off into a separate project upstream * (Build-)Depend on libasr: this library has also forked off into a stand-alone project * Drop useless build-dependencies on autoconf/automake/libtool: these are already brought in by dh-autoreconf * Update lintian overrides: we drop overrides for filters moved to opensmtpd-extras, add overrides due to a broken dep5 check, and override spelling-error-in-copyright (the error is in the license text) * Update configure options in rules to continue building the db table and makemap -- Ryan Kavanagh Sun, 01 Nov 2015 20:56:47 -0500 opensmtpd (5.4.2p1-4) unstable; urgency=medium * Don't abort on unseen flags in debconf (Closes: #770939) * Added Dutch translations. (Closes: #767303) Thanks to Frans Spiesschaert * Bump standards version to 3.9.6 * Updated debian/copyright to conform to dep5 -- Ryan Kavanagh Fri, 06 Feb 2015 13:04:56 -0500 opensmtpd (5.4.2p1-3) unstable; urgency=medium * Specify location of CA certificates when running ./configure; fixes broken certificate verification when establishing encrypted connection (Closes: #756069) -- Ryan Kavanagh Sat, 26 Jul 2014 12:08:25 +0200 opensmtpd (5.4.2p1-2) unstable; urgency=medium * Disable fortify, fixes sigabort on buffer overflow false positive * Fix broken SSL version check, 12_ssl_check.diff (Closes: #748150) -- Ryan Kavanagh Wed, 11 Jun 2014 21:30:20 +0200 opensmtpd (5.4.2p1-1) unstable; urgency=medium * Imported Upstream version 5.4.2p1 + Drop 05_no_smtpscript.diff, no longer needed + Drop 08_man_errors.diff, applied upstream + Drop 09_hyphens_in_man.diff, applied upstream * This build against the new openssl package permits opensmtpd to start again (Closes: #748513); the underlying problem has been reported upstream * Install CONFIG-UPDATE.txt.gz (Closes: #741238) * Get rid of unnecessary compile time warnings, 11_compile_warnings.diff (Closes: #747666). Thanks to Benny Baumann for the patch. * Update copyright file with new holders and years * Update lintian overrides with new false positives for hyphens in man pages. -- Ryan Kavanagh Thu, 22 May 2014 21:34:02 +0200 opensmtpd (5.4.1p1-1) unstable; urgency=medium * New upstream release (Closes: #732989) * Updated copyright file * Drop the following patches: + 01_binary_typos.diff, applied upstream + 03_no_hardlinks.diff, applied upstream + 07_mailname.diff, applied upstream + 08_empty_alias.diff, applied upstream + 10_automake_114.diff, no longer needed + 11_sys-mount.h_hurd.diff, applied upstream + 12_kfreebsd-hurd_crypt.h.diff, applied upstream + 13_reserve_inodes.diff, applied upstream + 14_syslog_prognames.diff, applied upstream * Add missing automake options, 07_automake_missing_options.diff, and use dh-autoreconf to update the autotools files * Fix man errors due to unknown command, 08_man_errors.diff * Don't use hyphens as minus signs, 09_hyphens_in_man.diff, and override lintian's false-positives due to the mdoc format * Update the path to aliases in the default smtpd.conf to reflect the location specified by Debian policy, 10_smtpd.conf.diff * Update debian/rules with new configure option names * We no longer need the opensmtpf user; no longer create it and delete the account on upgrade from 5.3.3p1 * Added translations: + Spanish (Closes: #727017) Thanks to Camaleón + Portuguese (Closes: #729923) Thanks to Américo Monteiro + German (Closes: #730452) Thanks to Chris Leick * Update standards version to 3.9.5 * Install the upstream changelog / release notes * Added a NEWS file advising users of the changes to config and refer to (included) config upgrade notes based on those from the opensmtpd wiki -- Ryan Kavanagh Sun, 02 Feb 2014 09:57:15 -0500 opensmtpd (5.3.3p1-4) unstable; urgency=low * Added French translations (Closes: #724343) Thanks to Jean-Pierre Giraud * Added Swedish translation (Closes: #725103) Thanks to Martin Bagge * Don't truncate process names in syslog, 14_syslog_prognames.diff (Closes: #724062) -- Ryan Kavanagh Sun, 20 Oct 2013 08:07:22 -0400 opensmtpd (5.3.3p1-3) unstable; urgency=low * Fix filesystem queue issue on btrfs, 13_reserve_inodes.diff (Closes: #723893) -- Ryan Kavanagh Sat, 21 Sep 2013 09:58:14 -0400 opensmtpd (5.3.3p1-2) unstable; urgency=low * The BSD-4-clause license is actually BSD-3-clause + restrictions; update debian/copyright accordingly * Added Russian translations (Closes: #721269); Thanks Yuri Kozlov  * Fix FTBFS on hurd-i386 due to missing sys/mount.h, 11_sys-mount.h_hurd.diff * Check if -lcrypt is needed on GNU/kFreeBSD, GNU/Hurd; fixes FTBFS, 12_kfreebsd-hurd_crypt.h.diff * Drop the -r (--relative) argument to ln, it isn't supported on all architectures yet and was causing a FTBFS on those architectures, affects 03_no_hardlinks.diff and 04_no_mailq.diff -- Ryan Kavanagh Tue, 10 Sep 2013 19:00:18 -0400 opensmtpd (5.3.3p1-1) unstable; urgency=low * Initial release (Closes: #706985) -- Ryan Kavanagh Sat, 07 Sep 2013 12:29:01 -0400